SB2020052312 - OpenSUSE Linux update for python

Security Bulletin ID SB2020052312

Severity

Medium

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) CRLF injection (CVE-ID: CVE-2019-18348)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.)

2) Resource exhaustion (CVE-ID: CVE-2019-9674)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in Lib/zipfile.py in Python when processing ZIP archives. A remote attacker can pass a specially crafted .zip archive to the application, trigger resource exhaustion and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

https://lists.opensuse.org/opensuse-security-announce/2020-05/msg00041.html